The downloader binary is responsible for downloading (and executing) the final FAKEAV payload. Interestingly, an important part of the download URL, the IP address, is not stored within the downloader binary itself. Instead, the host IP address is stored at the end of the above-mentioned .PNG file.

The data appended at the end of the .PNG file is encrypted using a simple cipher whose encryption key can be found in the downloader binary. When decrypted, the data looks like this:

The decrypted data reveals two sets of information:

The IP addresses from which the final FAKEAV payload can be downloaded

The affiliate IDs

With the IP address decrypted, the downloader binary assembles the download URL, which comes in the following form:

http://ip_address/mac/soft.php?affid=xxxxx

affid is a numeric value. This affiliate ID (affid) identifies the affiliate member responsible for distributing the Mac FAKEAV.
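As an added illustration of the analysis described above (not code from the original post or from the malware), the script below walks a PNG's chunk list, takes whatever follows the IEND chunk as appended data, decrypts it and pulls out the host IPs and affiliate IDs, then rebuilds the URLs in the form the post gives so they can go on a block list. The post names neither the cipher nor the layout of the decrypted data, so the repeating-key XOR, the key, the "hosts=...;affid=..." layout and the sample PNG with RFC 5737 documentation addresses are all constructed assumptions.

```python
import re
import struct
import zlib

# Constructed example, not the malware's real format: the post says only that the
# downloader's host IPs and affiliate IDs are appended to a .PNG and encrypted
# with "a simple cipher" whose key lives in the downloader. The repeating-key XOR
# and the "hosts=...;affid=..." layout below are assumptions for illustration.
PNG_SIG = b"\x89PNG\r\n\x1a\n"
ASSUMED_KEY = b"k3y!"  # placeholder key, standing in for the one recovered from the binary


def png_trailing_data(data: bytes) -> bytes:
    """Walk the PNG chunk list and return every byte that follows IEND.

    A well-formed PNG ends at the IEND chunk's CRC, so anything after it is
    foreign data that an image viewer silently ignores but an analyst should not.
    """
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4          # chunk header + chunk data + CRC
        if ctype == b"IEND":
            return data[pos:]
    raise ValueError("truncated PNG: no IEND chunk")


def xor_decrypt(blob: bytes, key: bytes) -> bytes:
    """Repeating-key XOR (assumed cipher; the post does not name the real one)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))


IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
AFFID_RE = re.compile(rb"affid=([\d,]+)")


def parse_config(plain: bytes) -> dict:
    """Pull host IPs and affiliate IDs out of the decrypted blob."""
    hosts = [ip.decode() for ip in IPV4_RE.findall(plain)]
    affids = []
    for group in AFFID_RE.findall(plain):
        affids.extend(a.decode() for a in group.split(b",") if a)
    return {"hosts": hosts, "affids": affids}


def download_urls(config: dict) -> list:
    """Rebuild the URLs the downloader would contact (URL format from the post)."""
    return [f"http://{ip}/mac/soft.php?affid={aff}"
            for ip in config["hosts"] for aff in config["affids"]]


def extract_fakeav_config(png: bytes, key: bytes = ASSUMED_KEY) -> dict:
    """Full pipeline: PNG bytes in, hosts / affiliate IDs / candidate URLs out."""
    trailing = png_trailing_data(png)
    if not trailing:
        return {"hosts": [], "affids": [], "urls": []}
    cfg = parse_config(xor_decrypt(trailing, key))
    cfg["urls"] = download_urls(cfg)
    return cfg


# --- constructed sample input: a 1x1 PNG with an encrypted blob appended ---
def _chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png() -> bytes:
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)      # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\xff\xff")                # filter byte + one white pixel
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    # RFC 5737 documentation addresses and made-up affiliate IDs
    plaintext = b"hosts=203.0.113.10;198.51.100.7\naffid=12345,67890\n"
    return png + xor_decrypt(plaintext, ASSUMED_KEY)         # XOR is symmetric


if __name__ == "__main__":
    cfg = extract_fakeav_config(build_sample_png())
    for url in cfg["urls"]:
        print(url)  # candidates for URL / IP block lists
```

The chunk walk is the part worth keeping: checking for bytes after IEND is a cheap, format-correct test for a PNG carrying a payload, independent of whatever cipher a given sample uses.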

The presence of the affiliate ID is disturbing. This means that there are already organized affiliate programs targeting Mac OS X. With these affiliate programs already in place and already operational, we can expect sustained attacks against Mac OS X users in the future.


This entry was posted on Thursday, June 9th, 2011 at 5:53 pm and is filed under Bad Sites, Mac.